
Kinetix 5500 CIP Safety: Hands-On Lab

Training Lab Manual

Lab 1: Network (CIP) Safety (20-30 Minutes)
    About This Hands-On Lab
    Lab Materials
    Document Conventions
    Before You Begin

Kinetix 5500 CIP Safety (Rev 1.00)

6/13/2014 Page 5 of 23
Lab 1: Network (CIP) Safety (20-30 Minutes)
About This Hands-On Lab
This lab provides an overview of Network Safety for servo drives, enabled by CIP Safety.
The following sections explain what you’ll be doing in this lab session, and what you will need to do
to complete the hands-on exercises.
What You Will Accomplish In This Lab
As you complete the exercises in this hands-on session, you will:
• Learn about the basic safety standards applied to servo drives and variable frequency
• Examine the difference between various methods for Safe Torque Off (STO).
• See how to configure a Kinetix 5500 drive with Networked Safety.
• Review and write ladder logic that could be used to execute STO in a Kinetix 5500 drive.
Who Should Complete This Lab
This hands-on lab is intended for individuals who have:
• General Kinetix Motion Experience
• Working Knowledge of Studio 5000
• Ladder Programming Experience
Lab Materials
For this Hands-On lab, we have provided you with the following materials that will allow you to
complete the labs in this workbook.
This hands-on lab uses the following hardware:
• Kinetix 5500 (-ERS2) CIP Safety Drive
• ControlLogix Demo Box
This hands-on lab uses the following software:
• Studio 5000 v22
• FactoryTalk View ME v6.0

Document Conventions
Throughout this workbook, we have used the following conventions to help guide you through the
lab materials.
This style or symbol: Words shown in bold italics (e.g., RSLogix 5000 or OK)
Indicates: Any item or button that you must click on, or a menu name from which you
must choose an option or command. This will be an actual name of an item that you see
on your screen or in an example.

This style or symbol: Words shown in bold italics, enclosed in single quotes
(e.g., 'Controller1')
Indicates: An item that you must type in the specified field. This is information that
you must supply based on your application (e.g., a variable).
Note: When you type the text in the field, remember that you do not need to type the
quotes; simply type the words that are contained within them (e.g., Controller1).

This style or symbol: Gray box ("Tip Text")
Indicates: The text that appears inside of this gray box is supplemental information
regarding the lab materials, but not information that is required reading in order for
you to complete the lab exercises. The text that follows this symbol may provide you
with helpful hints that can make it easier for you to use this product. Most often,
authors use this “Tip Text” style for important information they want their students
to see.

Note: If the mouse button is not specified in the text, you should click on the left mouse button.
Before You Begin
Even the most experienced motion control engineers occasionally struggle with complex
applications. This lab will cover advanced topics such as finding an optimal tradeoff between
response and stability when tuning, CAM instructions, drive multiplexing and more. Come along and
learn practical solutions to getting that machine really flying!

The following steps must be completed before starting the lab exercise:
1. Install an L72S GuardLogix Controller (or other L7xS Controller) into a ControlLogix rack.
2. Connect an Ethernet cable between the EN2T Ethernet module and the Stratix 8000.
3. Connect an Ethernet cable between the Kinetix 5500 drive and the Stratix 8000.

<Equipment Setup Here>

Safety Basics
Variable frequency drives, servo drives, and motors in general are covered by a variety of safety
standards. These standards fit into legal frameworks in different ways, depending on the region.
Some of the standards are written around components (such as a drive), and others are written
around the entire machine. The drives made by Rockwell Automation that support Functional
Safety are all certified by an independent third party (TÜV Rheinland) to the following product

Standard: ISO 13849-1
Title: Safety of Machinery - Safety-related Parts of Control Systems. Part 1: General
principles for design
Description: Uses Performance Levels to define the risk of random dangerous failure for
simple devices, including components, and machine
Kinetix 5500 Hardwired: PLd
Kinetix 5500 Networked: PLe

Standard: IEC 62061
Title: Safety of Machinery - Functional safety of safety-related electrical, electronic,
and programmable electronic control systems
Description: Uses Safety Integrity Levels to define the risk of random dangerous failure
for complex electronic devices, such as Programmable Automation Controllers, and machine
systems.
Kinetix 5500 Hardwired: SILCL 2
Kinetix 5500 Networked: SILCL 3

Standard: IEC 61800-5-2
Title: Adjustable speed electrical power drive systems. Part 5-2: Safety Requirements -
Functional
Description: Defines the expected behavior for various safety functions that can be
performed by variable frequency drives and servo
Kinetix 5500 Hardwired: Check
Kinetix 5500 Networked: Check

Standard: IEC 61508
Title: Functional safety of electrical/electronic/programmable electronic safety-related
systems
Description: Uses Safety Integrity Levels to define the risk of random dangerous failure
for any scale of electronic control system, from small machines to very complex
Kinetix 5500 Hardwired: SILCL 2
Kinetix 5500 Networked: SILCL 3

Certification to these standards implies that the drive can be used as a subsystem in a safety
function up to the limit shown in the table. These certifications alone do not guarantee that the
drive is implemented in the proper way. There are many aspects of the Machine Safety Lifecycle
that are not covered in this tutorial that influence the overall Performance Level or Safety Integrity
Level of a machine, including the:
• Risk Assessment
• Functional Requirements
• Mitigation Design & Verification
• Installation & Validation
• Change Management & Improvements

For more information on any of these areas, please visit another session during this event focused
on Safety Lifecycle Management, or consult with your local Rockwell Automation or distributor

Safe Torque Off (STO)

One of the most visible and common hazards on machines comes from moving parts. Since many
of these parts are moving because of motors attached to them, let's focus on ways to make those
motors safe. At the most basic level, there is only one safety control function that can be performed
with a motor - removal of torque producing power. This was done traditionally with Lock Out Tag
Out (LOTO), to remove all sources of power from a machine. More recently, control power has
been left on and motor power was removed through a variety of means.
With across-the-line motors, contactors were commonly placed in front of the motor. These
contactors would be opened when a safety demand occurred, letting the motor coast to a stop.
Using multiple contactors on the output side would be required for Category 3 and Category 4

Since these contactors have to be sized relative to the current requirements of the motor, and then
upsized to reduce chances of welding (according to the best safety practices), these aren't very
convenient. They are also typically the most likely to fail in a high-cycle application. As an upside,
it is very easy to monitor for failures and simple for electricians to triage. As drives were added to
the control scheme, contactors maintained their relevance for a long time, but with some cautions:

• Opening a contactor between the drive and the motor can involve very high voltages,
  depending on the operational mode. This can lead to more frequent welding and, with
  older drives, to burning out the drive.
• Opening a contactor between the line and the drive requires the drive to completely reboot
  after the safety demand is reset. This adds to the recovery time from safety demands and,
  depending on the frequency of requests, can lead to premature failure of the pre-charge
  circuitry in the drive.
• Notice that the PLC doesn’t necessarily have any connection to the drive or the safety
  circuit. They aren't inherently connected. A lot of extra wiring is required if the standard
  control system needs to be aware of what is happening in the safety circuit, or with the
  drive.

When the functionality of the contactors is embedded in the drive, this feature is called Safe Torque
Off, and it is generally accomplished by removing the internal gate driver enable AND the power
from the gate control circuitry in the drive. When these inputs to the Pulse Width Modulation portion
of the Inverter are removed, no torque can be produced at the motor. This means that the drive
never loses power, and recovering from the safety demand can be as simple as resetting the safety

Note: The hardwired external enable is not the same as the internal gate driver

Some of the first drives with integrated Safe Torque Off use the DriveGuard platform, which
combines the hardwired external enable with a single safety input. This has been thoroughly
vetted by third-party certification agencies; however, it is important to emphasize that
removing the external hardwired enable to the drive is not a certified safety circuit without
the DriveGuard addition. As you can see on the block diagram, only one of the two channels is
monitored for faults, and there are no inherent diagnostics to validate that the two inputs
are switching together. Again, the PLC does not have any inherent connection to either the
drive or the safety circuit.

All of our newer drives have two dedicated safety inputs, both wired through a safety control
section of the drive, and most do not have a dedicated feedback output. Solid state electronic
relays are more consistent and reliable than electromechanical switches. Failure rates for
solid state devices tend to be dependent on time and temperature, instead of number of cycles.
This makes the potential for random device failure more predictable.

Over the last decade, communication channels between field devices and controllers have evolved
to include "safe connections". The protocol used by Rockwell Automation is based on the CIP
Safety standard from ODVA. This standard is designed and certified for transport of data with high
integrity. This design includes sending the data over standard networks, in specialized packets to
remove the chances for data corruption. This is accomplished by using basic safety principles,
including Duality, Diversity, and Diagnostics.

Seamless communication in the past was nearly impossible because no single network was able to
integrate safety and standard control systems while also enabling the seamless transport of data
across multiple plant-floor physical networks. That changed with the Common Industrial Protocol
(CIP), an application protocol for industrial networking that is independent of the physical network.
The CIP protocol provides a set of common services for control, configuration, collection and
sharing across all of the CIP networks, DeviceNet, ControlNet and EtherNet/IP.

CIP Safety also helps eliminate the need to install expensive and difficult-to-maintain gateways
between each network. Before the development of safety networks, engineers often had to use
smaller systems or minimize their performance requirements since it was difficult to hard-wire
interlocks and relay-based safety logic into a complete automation system. Now, engineers can
integrate their devices on common physical network segments and allow safety and standard
information to flow between devices and controllers.
The latest generation of Safe Torque Off drives includes the ability to safely remove torque using
the network connection, with CIP Safety over EtherNet/IP. That network connection can provide
tremendous diagnostics on the same wires that provide the standard control, and reduces your
wiring to an absolute minimum.

Safe Torque Off should be used for routine, repetitive, predictable actions, such as clearing a jam or
changing tooling. Safe Torque Off is not suitable for electrical work of any kind. While it removes
the ability to create torque, there can still be hazardous voltages present on the motor terminals.
This is why LOTO is still a crucial part of a safety strategy.

Configure a Network Safety Drive
Follow these steps to see how to configure Kinetix 5500 drives with networked STO.

1. Open file Network_Safety_Begin.ACD.

2. From the I/O tree, right-click on the 1756-EN3TR Module (EN3TR_Drives) and choose New
Module… Attention! You will need to configure a 1756-EN2T Module for the equipment
provided for this lab.

The Select Module Type dialog appears.

3. By using the filters, check Motion and Allen-Bradley, and select your 2198-H008-ERS2 servo

4. Click the Create button.

The New Module dialog box appears.

5. Configure the new drive.
   1. Type the drive Name: UM_CIP_Drive.
   2. Set Ethernet Address:
   3. Under Module Definition click Change. The Module Definition dialog box appears.
   4. From the Connection pull-down menu, choose the Connection mode: Motion and Safety

Note: When ‘Safety’ appears in the Connection mode, networked safety is implied.

6. Click OK on the Module Definition dialog.

7. The Safety Network Number (SNN) field populates automatically when the Connection mode
includes a networked Motion and Safety or Safety Only connection.

For a detailed explanation of the safety network number, refer to the GuardLogix Controller
Systems Safety Reference Manual, publication 1756-RM099.

Connection Mode: Motion only
Controller Needed: ControlLogix 1756-L7x, GuardLogix 1756-L7xS, or CompactLogix 5370
Description (Drive Cat. No. 2198-): Only hardwired safe torque-off connections are possible.
Description (Drive Cat. No. 2198-Hxxx-): Motion is managed by this controller. Safety is
managed by another controller that has a Safety-only connection to the drive.

Connection Mode: Motion and Safety
Controller Needed: GuardLogix 1756-L7xS
Description (Drive Cat. No. 2198-): N/A
Description (Drive Cat. No. 2198-Hxxx-): Motion and Safety are managed by this controller.

Connection Mode: Safety only
Controller Needed: GuardLogix 1756-L7xS
Description (Drive Cat. No. 2198-): N/A
Description (Drive Cat. No. 2198-Hxxx-): Safety is managed by this controller. Motion is
managed by another controller that has a Motion-only connection to the drive.

8. Click OK to close the New Module dialog box. Your 2198-H008-ERS2 servo drive appears in
the Controller Organizer under the Ethernet controller in the I/O Configuration folder.

L72S provided for this lab.

1756-EN2T provided for this lab.

9. Right-click the drive you just created in the Controller Organizer and choose Properties.
The Module Properties dialog box appears.

10. Click the Safety tab.

The connection between the owner and the 2198-Hxxx-ERS2 drive is based on the following:
• Servo drive catalog number must be 2198-Hxxx-ERS2 (networked)
• Servo drive safety network number
• GuardLogix slot number
• GuardLogix safety network number
• Path from the GuardLogix controller to the 2198-Hxxx-ERS2 drive
• Configuration signature
If any differences are detected, the connection between the GuardLogix controller and the 2198-
Hxxx-ERS2 drive is lost, and the yellow yield icon appears in the controller project tree after you
download the program.

11. Click the Advanced button.
The Advanced Connection Reaction Time Limit Configuration dialog box appears.

Analyze each safety channel to determine the appropriate settings. The smallest Input RPI
allowed is 6 ms. Selecting small RPI values consumes network bandwidth and can cause
nuisance trips because other devices cannot get access to the network.

12. Click OK to close the Advanced Connection Reaction Time Limit Configuration dialog box.
For more information about the Advanced Connection Reaction Time Limit Configuration, refer
to the GuardLogix 5570 Controllers User Manual, publication 1756-UM022.

13. Click OK to close the Module Properties dialog box.

Write Program Code

Let’s examine the ladder logic associated with using networked Safe Torque Off drives, hardwired
Safe Torque Off drives, and contactors. There are two zones in this example:
Zone 1 has five network Safe Torque Off drives and one motor that is safeguarded with
redundant contactors. This zone will utilize Stop Category 0, and coast to a stop upon a
safety demand.
Zone 2 has five network Safe Torque Off drives and one drive that is used in a hardwired
configuration. This zone will utilize Stop Category 1, and ramp to stop upon a safety
demand, removing power after a configurable time.
Each zone has the same inputs, including an Emergency Stop, a Light Curtain, and a SensaGuard
door monitor. Each zone is represented as a program with routines for Input, Logic, and Output.
The code in the Safety Task is based on ladder logic from the Safety Accelerator Toolkit and the
standard task is based on the Drives and Motion Accelerator Toolkit.

Zone 1

1. From the Safety Task in the Controller Organizer, expand the Zone1 program.

2. Review the Inputs routine. The three input devices are in this routine. The E-Stop code is
shown here. There is extensive commentary in the rung descriptions that helps explain each
portion of the code.

3. Review the Logic routine. These three rungs monitor the status of the inputs, restart
functionality, and setting of the Output Enable bit. This logic is quite simple functionally
(immediate removal of power), however there are more complex functions that can be
developed as well.

4. In the Outputs routine from Zone 1, there are two different examples. The first five devices are
all Network Safety drives, while the last example is a contactor.
The drives have much simpler code because they handle all of their own diagnostics and can
easily report back that information to the controller, as shown:

Note: This could even be combined into a simple Add-On Instruction for even more

5. The last two rungs of the Outputs routine from Zone 1 demonstrate the additional work that
needs to be included for contactors. The controller must manage all of the diagnostics for the
contactors, so the CROUT instruction is used to coordinate the timing of the actuation
command, feedback, and module statuses.

Zone 2

6. From the Safety Task in the Controller Organizer, expand the Zone2 program.

7. Since the Input routine is similar to Zone1, skip ahead and open the Logic routine.

8. There is an important difference in this routine on the rung (rung 3) that energizes the Output
Enable bit.
The addition of the TOF instruction gives the standard task time to execute stopping instructions
to put the axes into a disabled state at a known position before the torque is removed. This is
essential for vertical loads and many other coordinated applications.

9. Open up routine MainTask -> P02_Zone2 -> R03_Control and examine rung 3.
Since these drives are only rated for Stop Category 0, the programmer should plan to execute
code in the Standard Task to bring the drives to a stop and disable them before the torque is
removed. This ensures that any mechanical brakes can be set before holding torque

The addition of the "\Zone2.Sts_Zone_InputsOK" tag provides a "Stop" command to the
application. This will stop the running sequence and reset sequence, and initiate the stopping
sequence. By doing this, you can program the machine to come to the controlled stop of your

10. Most of the Outputs routine remains unchanged. There is a difference in the last two rungs from
Zone 1. The Feedback parameters for the CROUT instruction are tied to tags mapped from the
Standard Task to the Safety Task. Open the routine and view this difference in the last two

11. Tag mapping is accomplished from the dialog box that appears after following the menu path
Logic -> Map Safety Tags.

12. Follow the path and view the dialog box.

Feedback for purely diagnostic purposes is a common function that uses mapping from the
Standard Task to the Safety Task. Reset functionality does not necessarily need to be "safety
rated", since many other safeguards are in place to prevent restart when dangerous situations
could occur, and represents another example of when to use Tag Mapping. Tag mapping
should not be abused, since putting logic in the Safety Task does not necessarily make it "safe",
but it can be a very helpful tool for appropriate uses.

13. Close the dialog box when finished.

14. To see how the mapped tag is energized, open up the DriveManagerTask -> P11_Axis_11 ->
R02_Monitor routine and look at rung 24. The Servo_Axis.GuardGateDriveOutputStatus tag is
used to reflect the status of the gate drivers in the servo drive back to the
Kinetix_STO_Feedback_Map tag.
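
The difference between the Zone 1 and Zone 2 Logic routines can be modeled scan by scan. The following is an added example, not the lab's ladder code or Rockwell Automation's: a restart latch and an Output Enable bit with an optional TOF delay are driven through a safety demand while a ramping axis is tracked. The 10 ms scan time, the speed and decel values, and all class and function names are assumptions.

```python
from dataclasses import dataclass

SCAN_MS = 10  # assumed safety task period (constructed value)


@dataclass
class Zone:
    """Restart latch plus Output Enable rung; names here are hypothetical."""
    tof_preset_ms: int        # 0 models Zone 1 (no TOF), >0 models Zone 2
    latched: bool = False
    prev_reset: bool = False
    tof_acc_ms: int = 0
    output_enable: bool = False

    def scan(self, inputs_ok: bool, reset: bool) -> bool:
        rising = reset and not self.prev_reset
        self.prev_reset = reset
        if not inputs_ok:
            self.latched = False          # any safety demand drops the latch
        elif rising:
            self.latched = True           # restart needs a fresh reset edge
        if self.latched:
            self.tof_acc_ms = 0
            self.output_enable = True
        elif self.output_enable:
            # TOF: hold Output Enable until the preset has elapsed.
            if self.tof_acc_ms >= self.tof_preset_ms:
                self.output_enable = False
            else:
                self.tof_acc_ms += SCAN_MS
        return self.output_enable


def simulate(tof_preset_ms, speed_rpm, decel_rpm_per_s, demand_at_ms=100, end_ms=10_000):
    """Return (ms from demand to torque removal, axis speed at that instant)."""
    zone = Zone(tof_preset_ms)
    zone.scan(inputs_ok=True, reset=False)
    zone.scan(inputs_ok=True, reset=True)     # operator reset: zone is running
    speed = float(speed_rpm)
    for t in range(0, end_ms, SCAN_MS):
        inputs_ok = t < demand_at_ms
        if not zone.scan(inputs_ok, reset=False):
            return t - demand_at_ms, speed
        if not inputs_ok:
            # Standard task reacts to Sts_Zone_InputsOK going false and ramps down.
            speed = max(0.0, speed - decel_rpm_per_s * SCAN_MS / 1000)
    raise RuntimeError("Output Enable never dropped within the simulated window")


def tof_covers_ramp(tof_preset_ms, speed_rpm, decel_rpm_per_s):
    """True when the axis is at standstill before torque is removed."""
    return simulate(tof_preset_ms, speed_rpm, decel_rpm_per_s)[1] == 0.0


if __name__ == "__main__":
    for label, preset in (("Zone 1, no TOF", 0), ("Zone 2, TOF 1000 ms", 1000),
                          ("Zone 2, TOF 200 ms (too short)", 200)):
        delay, speed = simulate(preset, speed_rpm=1000, decel_rpm_per_s=2000)
        print(f"{label}: torque off after {delay} ms at {speed:.0f} rpm")
```

With a TOF preset shorter than the ramp time, the axis is still turning when torque is removed and coasts from there, which is the case the Zone 2 delay is meant to avoid for vertical loads.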

This concludes this lab.
